On July 22, 2009, Sen. Patrick Leahy (D-VT) reintroduced S. 1490, the Personal Data Privacy and Security Act (“PDPSA”), which has been referred to the Senate Judiciary Committee. The reintroduced PDPSA is substantially similar to the prior version reported out by the Judiciary Committee in 2007, which was co-sponsored by then-Sen. Barack Obama. Among the provisions of the proposed law are a mandated adoption and maintenance of a comprehensive information security program, a national data breach notification law, and regulation of data broker services. Further, while the bill as currently drafted reflects many commonly accepted principles of data privacy and security underlying existing federal and state laws, it deviates from current laws and standards regarding data security and breach notification on several noteworthy points. Although passage of this legislation during the current session of Congress is far from certain, the existing PDPSA draft may foreshadow future legislative and regulatory trends.
Federal Data Breach Notification Requirement including Federal Criminal Penalties and State
Title III, Subtitle B of the currently drafted PDPSA contains a data breach notification requirement in the event of unauthorized access (or reasonable belief that unauthorized access has occurred) to sensitive personally identifiable information (“SPII”) of any resident of the United States. Notification may be provided in writing, by telephone, or via email (if the affected individual has consented to email notice). In addition to standard provisions for notice to national credit reporting agencies and media outlets, the proposed law requires notification to the U.S. Secret Service within 14 days if the security breach involves:
· the acquisition (or is reasonably believed to involve the acquisition) of the SPII of more than 10,000 individuals by an unauthorized person;
· a database or other system containing the SPII of more than 1,000,000 individuals;
· a database owned by the federal government; or
· the SPII of federal law enforcement or national security personnel.
Criminal Penalties for Concealment of a Security Breach
Under the current draft of PDPSA, knowing concealment of a security breach that results in economic damage to any person would be subject to criminal penalties including fines and imprisonment for up to 5 years. See PDPSA § 102. Notification may be exempted if a written certification that notification would damage national security or hinder a law enforcement investigation is transmitted to, reviewed by, and approved by the Secret Service. While this provision appears to be intended to increase the number of reported breaches, the risk of criminal prosecution depends upon a showing of economic damage to an individual. Historically, courts have found it quite difficult to trace economic harm to a specific data breach. Nevertheless, the specter of criminal sanctions would be impossible to ignore.
Encryption Safe Harbor
The draft legislation contains a safe harbor from the notification requirement if a risk assessment concludes that there is no significant risk of harm to individuals because the compromised data was encrypted or otherwise rendered indecipherable or inaccessible. See PDPSA § 312(b). Safe harbor risk assessments must be provided to the Secret Service within 45 days of discovery. Covered entities may rely upon the risk assessment if the Secret Service has not informed the entity otherwise within 10 days thereafter. This continues the trend of breach notification laws designed to encourage encryption of sensitive information, particularly on backup tapes, laptops, and other portable devices. It should be noted that the proposed law explicitly includes access controls among the list of ways to render SPII inaccessible, which would be a noticeable evolution in breach notification law. Ultimately, it would be left to the discretion of the Secret Service to determine whether any access controls were sufficiently secure to render the risk of public harm insignificant.
Fraud Prevention Program Exemption
The draft PDPSA does not require notification for breaches that involve only credit card numbers or security codes if the covered entity participates in a fraud prevention program designed to block unauthorized transactions before they are charged to an individual’s account. See PDPSA § 312(c). However, if the breach involves any other form of SPII or credit card numbers combined with an individual’s name, entities are still obligated to provide appropriate notice.
Justice Department and State AGs Authorized to Pursue Civil Enforcement Actions
In addition to the criminal penalties discussed above, the United States Department of Justice and state Attorneys General would be authorized to bring civil enforcement actions for violations of the data breach notification rules. See PDPSA §§ 317-318. The draft PDPSA authorizes equitable relief and civil penalties of up to $1,000 per day per affected individual, up to a maximum of $1,000,000 per violation unless the violation is found to be willful or intentional. Similar to the criminal penalties provision, this appears to be intended to increase the number of breaches that are reported to the public, as well as to indirectly incentivize covered entities to harden the security measures protecting SPII.
Broad Preemption Clause
The provisions of the draft PDPSA expressly preempt all federal and state data breach laws. See PDPSA § 319. If passed into law, this clause would establish one uniform breach notification regime for all entities engaged in interstate commerce, superseding the existing patchwork of state notification laws as well as the federal health data breach notification requirements recently introduced by the HITECH Act.
Expansive Definition of Sensitive Personally Identifiable Information
The draft PDPSA contains a definition of SPII that is more expansive than existing data security and breach notification regimes. SPII includes the following categories of data:
1. A financial account number or credit/debit card number with the associated security code or PIN.
2. A person’s first name and last name or first initial and last name combined with:
a. a non-truncated Social Security Number or government identification number;
b. unique biometric data;
c. unique account identifier, electronic identification number, user name, or routing code combined with any associated security code or password required to obtain money, goods, services, or any other thing of value; or
d. any two of
i. home address or telephone number,
ii. mother’s maiden name, and/or
iii. month, day, and year of birth.
See PDPSA § 3(12). Accordingly, the required data security program and data breach notification procedures would apply to a greater amount of information than current regulatory schemes. For example, a table of user names and passwords maintained by a web merchant may be subject to a covered entity’s information security program and breach notification requirements, which would ordinarily not be the case under current state and federal law. This may be particularly true for merchants that allow customers to use email addresses as their user ID because many email addresses contain the first and last name or first initial and last name of the user. Similarly, web merchants that allow users to select freeform user IDs may find that many customers use their actual names.
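As an added illustration (not text from the bill or from this bulletin), the following Python check applies the § 3(12) categories above to constructed records, including the case of an email address used as a user ID; the field names and the name-detection heuristic are assumptions made for the example.

```python
import re

def _has_name(rec):
    # Explicit first+last name, or a user ID/email whose local part looks like
    # 'jane.doe' / 'j.doe' (heuristic assumed here; misses 'jdoe'-style IDs).
    if rec.get("first_name") and rec.get("last_name"):
        return True
    local = rec.get("user_name", "").split("@", 1)[0].lower()
    return bool(re.fullmatch(r"[a-z]+[._-][a-z]{2,}", local))

def _two_of_categories(rec):
    # Items under (2)(d); home address and telephone number count as ONE item.
    cats = set()
    if rec.get("home_address") or rec.get("phone"):
        cats.add("home address/phone")
    if rec.get("mothers_maiden_name"):
        cats.add("mother's maiden name")
    if rec.get("date_of_birth"):
        cats.add("date of birth")
    return cats

def is_spii(rec):
    """Return (bool, reason) for one record against the draft § 3(12) test."""
    # (1) card/account number with its security code or PIN; no name needed.
    if rec.get("card_number") and (rec.get("security_code") or rec.get("pin")):
        return True, "card number with security code/PIN"
    if not _has_name(rec):
        return False, "no name present"
    # (2)(a) only a full, non-truncated SSN qualifies; a last-4 fragment does not.
    if re.fullmatch(r"\d{3}-?\d{2}-?\d{4}", rec.get("ssn", "")) or rec.get("government_id"):
        return True, "name + government identifier"
    if rec.get("biometric"):                              # (2)(b)
        return True, "name + biometric data"
    if rec.get("user_name") and rec.get("password"):      # (2)(c)
        return True, "name + user name and password"
    cats = _two_of_categories(rec)                        # (2)(d)
    if len(cats) >= 2:
        return True, "name + " + " and ".join(sorted(cats))
    return False, "name without qualifying companion data"

# Constructed sample records (not real data).
SAMPLES = {
    "merchant_login": {"user_name": "jane.doe@example.com", "password": "hunter2"},
    "generic_login": {"user_name": "admin", "password": "hunter2"},
    "truncated_ssn": {"first_name": "Jane", "last_name": "Doe", "ssn": "6789"},
    "contact_only": {"first_name": "Jane", "last_name": "Doe", "home_address": "1 Main St", "phone": "555-0100"},
    "contact_dob": {"first_name": "Jane", "last_name": "Doe", "phone": "555-0100", "date_of_birth": "1980-01-01"},
}
def classify(samples=SAMPLES):
    return {name: is_spii(rec)[0] for name, rec in samples.items()}
```

Note that the merchant login record is flagged solely because the email-style user ID supplies the name, which is the scenario the paragraph above describes.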